Cybersecurity Medical Devices

Artificial Intelligence (AI), General Data Protection Regulation (GDPR) and Cybersecurity: 10 Misconceptions about Medical Device Software

Artificial Intelligence (AI), General Data Protection Regulation (GDPR) and Cybersecurity: 10 Misconceptions about Medical Device Software


Medical Device Software (MDSW) is a growing, fast-evolving industry. However, manufacturers often must face a regulatory framework which does not evolve at the same speed. Regulation for medical devices is restrictive, since it needs to guarantee the safety of users (e.g. Health Care Professionals) and the target population (e.g. patients). Moreover, it has experienced a significant increase in requirements with the approval of the new regulation MDR 2017/745. Manufacturers of MDSW who have never placed a medical device on the market, or who did it under the former Medical Device Directive (93/42/EEC MDD) might have some misconceptions about the process. The purpose of this article is to address some of the most common (and not always right) assumptions and provide useful and truthful information about the process of reaching the conformity assessment under MDR, for successfully placing an MDSW on the market. 


Cybersecurity Medical Devices

Here are 10 common misconceptions about Medical Device Software, and their respective clarification:


1. MDSW is classified as low risk under the MDR 2017/745. 

False! On the contrary, only a small portion of MDSW is classified with the lowest risk class (class I) according to the new regulation (MDR2017/745 annex VIII) and related guideline (MDCG 2019-11). To classify a Medical Device Software, two main aspects must be taken into account: 1) the severity of the state of the healthcare situation or patient condition and 2) the significance of the information provided by the software to the healthcare situation related to diagnosis/therapy. After taking these factors into consideration, most MDSW is classified in higher classes, from Class IIa to Class III, which entails increased regulatory requirements. 


2. Agile development practice and IEC 62304 requirements cannot co-exist because they rely on fundamentally conflicting principles. 

Agile methodologies (i.e. SCRUM) are compatible with the standard for the development of Medical Device Software. Actually, there exists a Technical Information Report providing guidance on the use of Agile practices in the development of medical device software (AAMI TIR45:2012). It is up to the manufacturer to decide the Software Development Lifecycle (SDLC) of the product. However, there are multiple challenges that a manufacturer must face, especially in terms of procedures (alignment with the Quality Management System), validation of tools and documentation.


3. I have developed a Machine Learning model that underwent thorough testing and showed excellent technical performance, so I should be able to access the market in a few months. 

All MDSW embedding AI must comply with applicable MDR 2017/745 requirements prior to being placed on the market. This means that the processes and the timing to access the market are not accelerated compared to other medical devices. In addition to the general regulation, there are some relevant specific considerations for the Clinical Evaluation of Medical Device Software as per MDCG 2020-1: For any MDSW (including AI-based MDSW), Clinical Evaluation should demonstrate the valid clinical association/scientific validity, technical performance, and clinical performance. This guidance on clinical evaluation of MDSW provides a framework for the determination of the appropriate level of clinical evidence required for MDSW. The provisions of this guidance document should be taken into consideration from the early stages of software development.


4. I can place my AI-based Software Medical device on the market if I have trained, tested and validated it with datasets coming from open access repositories.  

It depends. It is important to verify that sufficient information is available on the origin of the clinical data. Multiple requirements might be fulfilled to ensure the validity of the protocol used to collect the data as well as the compliance of the data collection methods with GDPR: Was the study run according to the Good Clinical Practices and standards? Was GDPR followed? Was the data collection performed by certified professionals? It is also important to adopt good machine learning practices during model training, testing and validation, e.g., that training and testing datasets should be independent. For more information, check these guiding principles for Good Machine Learning Practices. 


5. If my MDSW fails to ensure personal data protection, it is not considered as harm. 

According to the MDR 2017/745, all parties involved in its application shall respect the confidentiality of information and data obtained. Even if the failure of the software does not result in a lesion or physical injury, disclosure of personal yields infringement penalties according to MDR2017/745 and GDPR Regulation (EU) 2016/679. Therefore, data processing, involving transmission over a network or storage needs to be properly tackled by design strategies (e.g. minimum data collection, pseudo anonymisation) and complemented with ICT techniques (encryption, Secure layers, etc.). To conduct Risk management is a “must”, and any residual risk must be mitigated as much as possible.

6. If my device is not storing data, I do not need to comply with GDPR.

Even if the device does not store data, it still might be, for instance, linked to a website that collects some personal information related to the user or the practitioner. It is important to conduct an analysis of the whole lifecycle of the product and identify which processes need special attention as per the GDPR requirements. 


7. If I am working with anonymised data, I do not need to comply with GDPR. 

That is true if data is completely anonymised. However, most manufacturers rather work with pseudo-anonymised data, meaning that there is a “key” that can be used to link back the clinical data with the personal information of the patient. In this case, the manufacturer needs to be compliant with GDPR regulations. 


8. I can keep the collected data for as long as I want. 

Similarly, that depends on whether the collected data is fully anonymised. If that is the case, there are no time restrictions for its storage, but if the data is pseudo-anonymised, there are restrictions. GDPR regulation does not establish specific time windows within which the storage is allowed, instead, it mentions that “personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing”. 


9. If I use a cloud server, I do not need to worry about cybersecurity because the service provider takes care of it. 

Be careful, most cloud servers are not specifically designed to host confidential data or clinical data. When choosing a cloud server for such purposes, it is good to select an ISO 27001 certified provider. That means that the provider has a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. However, be proactive! Use all relevant information sources (Common Vulnerabilities and Exposures (CVE) for vulnerability monitoring, testing tools such as Trivy, Shodan, OWASP, etc.), and monitor all processes concerning maintenance and infrastructure via health checks.  


10. If the Software Medical Device is a standalone software intended to be used in a host, I do not need to take precautions on cybersecurity. 

False! MDR 2017/745 requires manufacturers to foresee possible threats caused by misuse of their device and to take actions to prevent it. Besides, MDR also requires reducing as far as possible the risk associated with the possible negative interaction between software and the IT environment the MDSW operates and interacts with. So, it is important to take cybersecurity preventive measures to identify possible threats, vulnerabilities, assets and impacts. A manufacturer needs to consider security in a holistic approach as the nature of assets is diverse: Hardware (including the infrastructure), Software (protection against most common threats such as ransomware, malware, legacy software, Software of Unknown Provenance, etc), Data (Personal Identifiable Information PII, Health Records, Systems configuration, etc), and Users (considering misuse, unauthorised users, protection of sensitive functionalities, etc). 



Placing MDSW on the market requires knowledge of a broad variety of topics, including regulation and related guidelines for clinical validation, GDPR, cybersecurity, risk management and quality control. 


With an extensive track record working on similar problematics, Medidee can support you with services ranging from training courses and coaching, up to completing the strategy to successfully bring your product to the market.


Contact us today to discuss your project! 



This article was written by Dr Nuria Gresa, Dr Stamatia Pagoulatou and Dr Gustavo Hernandez.

IVD Manufacturers

[ARTICLE] IVD Manufacturers' New Year's Resolutions: 6 Reasons to Start the Performance Evaluation of your Device Now

Once a device is used for diagnostic purposes on human specimens, the European Union expects, in accordance with Article 5(3) of Regulation (EU) 2017/746 (IVDR), a performance evaluation of the device as a demonstration of compliance with the relevant General Safety and Performance Requirements (GSPRs) and this regardless of the device’s risk class.


As defined within Article 2(44) of the IVDR this means an “assessment and analysis of data to establish or verify the scientific validity, the analytical and, where applicable, the clinical performance of a device”.


The performance evaluation shall be based on a continuous process and follow a defined and methodologically sound procedure, based on an established device-specific plan, i.e., the Performance Evaluation Plan (PEP). The identified performance and safety data, which shall allow to demonstrate compliance with relevant GSPRs related to the device’s performance characteristics, is then consolidated in the Performance Evaluation Report (PER). The PER is a part of the device’s technical documentation and shall be reviewed by the Notified Body during the conformity assessment procedure. De facto, manufacturers of legacy IVD devices will need to invest resources in evaluating the performance of their devices prior to their transition to IVDR.


Here are 6 reasons why manufacturers should not put off this endeavor and start the process now



1. It ensures alignment with the current "state of the art"


In accordance with the requirements of the Regulation (Annex XIII), a PEP must include “a description of the state of the art, including an identification of existing relevant standards, Common Specifications, guidance or best practices documents”. Implementing the PEP as soon as possible will ensure that the device is still aligned with the current state of the art and does not require major design improvements or additional testing according to the latest guidelines. This is especially important because “the performance evaluation of an IVD must consider the benefit-risk ratio in light of the state-of-the-art” and as further stipulated in MDCG 2022-2, “risks for IVDs are often generated from a series of events which may involve several factors such as inadequate design characteristics as well as immature technology”. Therefore, establishing the state of the art is the first step in the preparation of the performance evaluation. As it involves a systematic and methodological approach to the literature review, it requires time and resources.



2. It allows for an early assessment of the level of clinical evidence required


The level of clinical evidence needed to fully demonstrate the performance and safety of the device as claimed by the manufacturer will depend on the characteristics of the device and its intended use. Manufacturers transitioning their devices to IVDR shall assess as soon as possible the level of clinical evidence required. This includes verifying that all performance and safety claims, including those used for marketing purposes, are supported by an adequate level of evidence. Doing so will either allow for timely follow-up actions to collect additional performance data in case some claims are not yet sufficiently supported by clinical evidence, or to reword the device’s intended use taking into consideration the existing clinical evidence.



3. It helps to identify and react to gaps in the analytical performance


Conducting a performance evaluation in advance will allow the manufacturer to identify gaps in the data supporting the analytical performance of the device in a timely manner. If gaps are identified, the manufacturer will be able to generate new evidence in accordance with common specifications, guidelines, or applicable standards, to demonstrate that the IVD in question is capable of reliably, accurately, and consistently detecting the analyte, and thus GSPRSs linked to the analytical features of the device are adequately addressed.


IVD Manufacturers


4. It determines if sufficient clinical performance data is available


It is also important to promptly determine whether sufficient clinical performance data is available to support the device's intended use, as well as the claimed indications. The level of clinical evidence should be consistent with the clinical strategy defined in the PEP. As per MDCG 2022-2 “the manufacturer should demonstrate that the IVD has been tested for the intended use(s), target population(s), use condition(s), operating- and use environment(s) and with all the intended user group(s)”. This last aspect is particularly important when it comes to devices intended for point-of-care testing, where manufacturers need to ensure that the clinical data reflects the device’s use environment. Available clinical data may come from the manufacturer’s own clinical performance studies, Post-Market Surveillance (PMS) or peer-reviewed literature. Identifying gaps in advance will allow time to plan and eventually conduct a clinical performance study in compliance with IVDR and ISO 20916:2019, if necessary. It is important to remember that under Article 56(4) of the IVDR, “Clinical performance studies in accordance with Section 2 of Part A of Annex XIII shall be carried out unless it is duly justified to rely on other sources of clinical performance data”.



5. It supports risk identification and management


MDCG 2022-2 (6.2) states that “the risk management system should be carefully aligned with and reflected in the performance evaluation process of the IVD, considering the clinical risks to be addressed as part of the performance evaluation, performance studies, and post-market performance follow-up(s)”. Hence, manufacturers must ensure that all risks identified through the performance evaluation process are adequately addressed within the device’s risk management documents. Timely completion of the performance evaluation will allow the manufacturer sufficient time to address newly identified risks, if necessary.



6. It facilitates robust Post-Market Surveillance and Performance plans


In the event that the time frame is still too short to address all identified performance gaps through appropriate V&V testing or clinical performance studies, the manufacturer will be able to work on a robust PMS and Post-Market Performance Follow-up (PMPF) plan aligned with the performance evaluation outcome. Additionally, in case new PMS and PMPF data were collected after the initial performance evaluation, the PEP and PER should be updated in light of this new data prior to the device’s conformity assessment. As this always requires a certain amount of time for proper implementation, it is best to plan ahead.



In conclusion, the performance evaluation may identify some gaps in the quantity or quality of available clinical evidence or in the completeness of the device’s risk management documentation or PMS/PMPF plan. Depending on the extent and nature of these gaps, it may take time to address them, especially if a clinical performance study is needed, which may require months or years. Additionally, manufacturers should keep in mind that a conformity assessment procedure can take 18-24 months, which means that for legacy IVD devices classified as Class D or C according to IVDR, compliance with GDPR is expected by May 26, 2025 and 2026, respectively.



With this in mind, we advise you to place the performance evaluation of your device as a top priority on your to-do list for 2023. Contact Medidee today to discuss your needs and how Medidee supports you in addressing them:


Don't miss any of our upcoming IVD content! Follow Medidee on LinkedIn


This article was written by Dr. Julianne Bobela.

[WEBINAR] How to navigate the EU MDR requirements for Clinical Evaluation



Professionals in the MedTech industry know that Clinical Evaluation is a key process that must be performed for all types of medical devices. However, a lot of manufacturers still struggle with navigating the related requirements and defining the level of clinical evidence necessary to demonstrate conformity with the regulatory frameworks.


In this recorded webinar, Sofia Spjuth from Veranex/Devicia and Dr. Johannes Leidner from Medidee/Veranex share key stages of the clinical evaluation process and provide insights and experiences related to some hot topics including but not limited to:

  • Clinical Evaluation Strategy
  • Safety and Performance Parameters
  • Data appraisal
  • Post-Market Clinical Follow-up
  • Clinical Evaluation of Medical Device Software (MDSW)



Please submit the form to watch:

Webinar Clinical Evaluation Reports - Australian companies

[WEBINAR] Clinical Evaluation Reports



Currently, we observe that the reviewers of Notified Bodies during MDR conformity assessments are gradually converging in terms of review practices and acceptance criterion. During this webinar, you will get an overview of the latest updates related to the preparation of clinical evaluation reports (CER).


Our expert Dr Jérôme Randall will guide you through:

  • The notions of “performance-based CER” and “well-established technologies”
  • Methods for scoping and launching simplified PMCF (Post Market Clinical Follow Up) studies for gathering the clinical data that may be missing.



Please submit the form to watch:

Performance Evaluation Plan & Report Webinar

[WEBINAR] Performance Evaluation Plan & Report

With the implementation of the IVDR, for In Vitro Medical devices (IVD), a performance evaluation needs to be conducted to demonstrate a device’s performance and safety evidence. This performance evaluation follows a defined Performance Evaluation Plan (PEP) and is documented within a Performance Evaluation Report (PER).


But what exactly is a performance evaluation and what does it consist of?
What are the IVD devices which need a performance evaluation?
How do I establish the strategy for performance and safety substantiation?
When is the right moment to start with a device’s performance evaluation?
What about legacy devices?
Is there any guidance or a standard that I can use?


In order to avoid delays in the development and marketing approval process, it is important to understand the full workflow of an IVD’s performance evaluation. Join us for this on-demand webinar during which our expert Julianne Bobela will guide you through an IVD’s performance evaluation workflow, including:


· The documentation which constitutes a performance evaluation
· The type of data needed to support a device’s performance and safety
· The device-specific needs for performance evaluation, based on its group, risk class, and intended purpose
· The lifecycle of a performance evaluation and its interconnection with other documents of the technical documentation


Please submit the form to watch:

Clinical Investigation & In Vitro Diagnostic Devices Webinar

[WEBINAR] Clinical Investigation & In Vitro Diagnostic Devices

With the implementation of the IVDR, clinical performance studies on In Vitro Diagnostic Medical devices are becoming a central pillar of the device’s clinical evidence.

But what exactly is a clinical performance study?
Which IVD devices require collection of clinical evidence through a clinical performance study?
When is the right moment in a device’s lifecycle for conducting a clinical performance study?
How do I handle clinical data gathered through previous clinical performance study?
Is it mandatory to use the ISO 20916 standard?


In order to avoid delays in the marketing approval process, it is important to understand the full clinical workflow for each type of IVD device. Join us for this on-demand webinar during which our expert Julianne Bobela will guide you through an IVD’s Clinical workflow, including:

· The type of clinical data needed
· The device-specific needs for clinical performance studies
· The characteristics of interventional clinical performance studies
· The regulatory requirements for conducting clinical performance studies

Please submit the form to watch:

Techletter | Medical Device Software incorporating Artificial Intelligence:

[TECH LETTER] Medical Device Software incorporating Artificial Intelligence: Generating sufficient evidence under the MDR



Artificial Intelligence (AI) and Machine Learning (ML) technologies have the potential to transform medicine by aiding in the detection, diagnosis, and management of diseases. As digitalization of healthcare generates massive amounts of data, medical device manufacturers are increasingly incorporating AI technologies to automate the analysis of such data targeting to create innovative products and improve patient care. This turn towards AI-enabled medical device software (MDSW) is also evidenced by the plethora of studies evaluating the feasibility of artificial intelligence systems across a wide range of health-related indications.


While the interest in medical applications of AI is strong, inconsistent and incomplete collection of evidence remains one of the barriers to the assessment of the safety and performance of AI-MDSW by regulatory bodies.

According to the provisions of Article 61(1) of the MDR EU 2017/745, it is the responsibility of the manufacturer to specify and justify the level of Clinical Evidence necessary to demonstrate conformity of their medical device to the relevant General Safety and Performance Requirements (GSPRs); this level of clinical evidence should be appropriate in view of the device characteristics and intended purpose.


Determining the appropriate level of evidence might be challenging, especially in the case of AI-enabled MDSW which significantly differs from established medical device software in terms of technical and clinical aspects. At the same time, there is no explicit regulatory guidance for conformity assessment of AI technologies, delineating appropriate and practical evidence generation approaches.


Accordingly, this Technical Letter aims to provide an overview of the considerations for evaluating evidence regarding AI-MDSW.




Please submit the form:

Read this article on Claims & their substantiation

[TECH LETTER] Claims and their substantiation

This Downloadable Techletter discusses Article 7 of the MDR & IVDR and its implications in terms of the safety and performance data required to substantiate a given claim.


The claims made by a manufacturer regarding the intended use, safety, and performance of their medical device or IVD medical device, both in their form and content, indubitably play an important role toward the commercial success of their product.


It is therefore in the manufacturer’s interest to formulate the most appealing claims possible on the device. This can in certain cases lead to the communication of exaggerated or ambiguous claims on the device, particularly in, but not limited to, promotional material.


It is however imperative for manufacturers to have a clear understanding of what they are allowed or have the obligation to communicate to the user or patient regarding the intended purpose, safety, and performance of their medical devices.


MDR/IVDR Article 7 states in essence that device manufacturers may not communicate any claim on the device which is not adequately supported by objective data. In this context, manufacturers should early in their device development stages define plans and methods in order to capture the safety and performance data necessary to substantiate any claim they intend to make on their devices.



Please submit the form:

How to have a compliant Technical Documentation

[WHITE PAPER] MDR Compliant Technical Documentation

This downloadable white paper co-authored by Medidee and BSI, one of the largest Notified Bodies, gives manufacturers an interpretation of how the changes necessary for the move from compliance with the MDD/AIMDD to the MDR might be implemented, as well as practical hints on what needs to be considered in order to maintain technical documentation as stipulated by the MDR. Although being issued back in 2019, its content remains widely relevant and applicable when it comes to the constitution of MDR-compliant Technical Documentation.


As a Manufacturer, you may have wondered how to ensure your Technical Documentation Complies with EU Medical Device Regulation 2017/745. Indeed, before placing a medical device on the European market, manufacturers need to produce technical documentation providing evidence of conformity with the relevant legislation.


Technical documentation had to comply with the Medical Devices Directive (MDD) 93/42/EEC or the Active Implantable Medical Devices Directive (AIMDD) 90/385/EEC (referred to as ‘MDD/AIMDD’ hereafter).

Since 26 May 2021, manufacturers willing to obtain or renew a CE certificate or to issue a Declaration of Conformity (DoC), are required to have their technical documentation compliant with the Medical Device Regulation (MDR) European Union (EU) Regulation 2017/745 (referred to as ‘MDR’ hereafter).


However, as indicated in Article 120 of the MDR, after 26 May 2021, medical devices can still be placed on the market under the provision of the MDD/AIMDD, providing the certificate was issued prior to this date, that manufacturer continues to comply with either one of the directives and that no significant changes are made in the design and intended purpose of the device.


But Manufacturers of such devices will also have to meet other requirements, which are detailed in Article 120 of the MDR and referenced in this white paper. The certificates issued in accordance with MDD/AIMDD after 25 May 2017 remain valid until reaching their expiry date, but in any case, they become void latest on 27 May 2024.

This necessitates changes for the manufacturers, Competent Authorities (CAs) and Notified Bodies (NBs) on how the technical documentation should be developed and handled.


As mentioned in the first paragraph from Annex II of the MDR, ‘the technical documentation and, if applicable, the summary thereof to be drawn up by the manufacturer shall be presented in a clear, organised, readily searchable and unambiguous manner and shall include in particular the elements listed in this Annex’.

Reading the MDR it becomes evident that the requirements for technical documentation have been raised and will also be subject to more scrutiny by the CA/NB as appropriate.


Please submit the form:

FDA Breakthrough Devices Program (BDP) and Safer Technologies Program (STeP) for Medical Devices

[ARTICLE] FDA Breakthrough Devices Program (BDP) and Safer Technologies Program (STeP) for Medical Devices

Launched in 2016, the FDA Breakthrough Devices program (BDP) is intended to provide patients with more rapid access to medical devices that are foreseen to enable a more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions.
The new FDA Safer Technology Program (STeP) which is operational since March 2021, aims to accelerate patient access to medical devices that are expected to improve the safety of treatments targeting diseases that are less serious than those qualifying for the existing BDP.
A BDP or STeP designation for a device notably allows companies to benefit from additional FDA input, flexibility with regards to clinical study design and quality system and manufacturing information requirements, and prioritized review during the premarket phase; and can therefore considerably diminish the time necessary for US market approval.
This article will review the principles, features, requirements, application processes, and benefits, of both programs.

The Breakthrough Devices Program (BDP)


The FDA Breakthrough Devices Program (BDP) is a voluntary program intended to ensure patients with timely access to certain medical devices and device-led combination products that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. It is available for devices and device-led combination products subject to review under a premarket approval notification (PMA), premarket notification (510(k)), or De Novo classification request (“De Novo Request”).
Companies designated for the BDP benefit from additional feedbacks from the FDA during the premarket phase, although the designation does not change the statutory standards for PMA, 510(k) clearance, or De Novo marketing authorization. The Breakthrough Devices Program replaced the previous Expedited Access Pathway (EAP) and Priority Review for medical devices.
The FDA has issued a guidance document on the Breakthrough Devices Program that provides detailed information on the program principle, on the procedure for designation request, and on the program features.
Devices are eligible for breakthrough device designation if both of the following criteria are met:

  • The first criterion is that the device provides for more effective treatment or diagnosis of life-threatening or irreversibly debilitating human disease or conditions.
  •  The second criterion is that the device also meets at least one of the following:

a) Represents breakthrough technology
b) No approved or cleared alternatives exist
c) Offers significant advantages over existing approved or cleared alternatives
d) Device availability is in the best interest of patients
When a device is granted the Breakthrough Device Designation, the manufacturer is ensured direct interactive communication with a sufficient number of well-trained FDA staff, including senior management, with expertise in the application of the BDP.
Interaction with the FDA to obtain feedback on the device development is managed through a variety of options, including “sprint” discussions (i.e. discussions with the goal of reaching mutual agreement on a specific topic within a set time frame (e.g. 45 days)), request for discussion on a Data Development Plan, and request for discussion to reach clinical protocol agreement.
With regards to the last aforementioned point, the FDA will take steps to ensure that the design of clinical trials is as efficient and flexible as practicable. It will, for instance, allow the study design to be adapted during the clinical study and/or approval process.
Moreover, the FDA may allow for part of non-clinical and clinical data to be collected in the post-market phase, provided there are no major safety concerns. In addition, with the BDP designation there is also a prioritized review of regulatory submissions, including Q-Submissions, Investigational Device Exemption (IDE) applications, and marketing submissions.
Finally, for PMA submissions that typically require a preapproval inspection, the FDA intends to expedite the review of manufacturing and quality system compliance for BDP-designated devices.
If the manufacturer can show compliance with the statutory and regulatory requirements by other means than submitting the all the items listed in the FDA guidance “Quality System Information for Certain Premarket Application reviews”, the FDA may accept less quality and manufacturing information. This may occur for instance when the manufacturer has a good track record for quality system compliance and that no new manufacturing issues that could negatively affect product quality or performance are identified. In appropriate cases, the FDA may decide it is acceptable to conduct the inspection of the manufacturing sites after the device has been approved through the BDP.

How to apply for the Breakthrough Devices Program?


To apply for the BDP program, manufacturers shall submit a special Q submission named “Designation Request for Breakthrough Device”. The submission should provide information to describe the device, the indications for use, regulatory history, and it should explain in details the rationale why the device meets the requirements to be eligible for the program. If other requests for FDA feedback are concomitantly pending, manufacturers should consider submitting them after the FDA renders the BDP designation decision as a BDP designation may affect the feedback that FDA provides on the other requests.
The FDA will issue a decision on the BDP designation within a maximum of 60 calendar days, and request any additional information it may require within 30 days. The BDP designation request typically takes the form of an approximately 30 page submission file and usually requires a few weeks for preparation, if necessary with the support of a consulting firm.
Despite a report that the FDA may be open to making public devices having received BDP designations in the future, the decision to do so remains for the moment at the discretion of the manufacturers participating in the program.
It is therefore difficult to obtain reliable data on how frequently BDP designations are solicited and granted. Nonetheless, according to an article published in May 2020 by MedTech Dive who was able to obtain data relating BDP designations from the FDA, there were 11 devices awarded with a BDP designation in 2016, 19 in 2017, and 55 in 2018, 136 in 2019 and 50 and in 2020 as of May.
Thus, the BDP program is increasingly gaining popularity, showing roughly a two-fold increase in BDP designations per year since the launch of the program in 2016. Of these, five BDP-designated devices received full marketing authorization in 2019 (three PMAs, one 510(k), and one De Novo).
No information regarding the number of devices that won final marketing authorizations under the program in 2020 could be retrieved. Nonetheless, this number is expected to increase proportionally to the number of granted designations.

The Safer Technology Program (STeP)


The new Safer Technology Program (STeP) for Medical Devices was designed as a complement to the BDP. The STeP is highly similar to the latter, but tailored for medical devices and device-led combination products that are reasonably expected to significantly improve the safety of treatments targeting an underlying disease or condition less serious than those qualifying for the BDP.
These may include for example devices intended to treat or diagnose non-life-threatening or reversible conditions. As for the BDP, STeP is also available for devices and device-led combination products subject to review under a premarket approval notification (PMA), premarket notification (510(k)), or De Novo classification request (“De Novo Request”). The FDA issued the final guidance on the Safer Technologies Program on January 6th 2021, and anticipated accepting program entrance requests as of March 8th, 2021.
For a device to be eligible for STeP designation, it should meet the following criteria:

  • The first criterion is that the device should not be eligible for the Breakthrough Devices Program (BDP) in reason of the less serious nature of the disease or condition treated, diagnosed, or prevented by the device; and
  • The second criterion is that the device should be reasonably expected to significantly improve the benefit-risk profile of a treatment of diagnostic by means of substantial safety innovations that provide for at least one of the following:

a) A reduction in the occurrence of a known serious adverse event,
b) A reduction in the occurrence of a known device failure mode,
c) A reduction in the occurrence of a known use-related hazard or use error, or
d) An improvement in the safety of another device or intervention
Similarly to a BDP designation request, manufacturers should apply for a STeP designation by submitting a Q-Submission requesting inclusion in the STeP program. This request should be highlighted in the accompanying cover letter. The request should provide information to describe the device, the expected safety improvement, the indications for use, regulatory history, and justification as to why the device meets the specific STeP eligibility factors.
More information on the contents of a Q-Submission Request for inclusion in STeP may be found in appendix I of the STeP final guidance. Once the program will be operational, the FDA intends to request any additional information it may require on the request for inclusion in STeP within 30 calendar days, and to issue its final decision within 60 days.
Once a device is designated for the Safer Technology Program, the manufacturer can choose to interact with the FDA through the same options as for the BDP, including interactive and timely discussions with FDA staff, senior management engagement, early engagement on Data Development Plans, and sprint discussions. Similarly as within the BDP program, the FDA will also allow for a certain degree of flexibility on clinical trial design and for the collection of non-clinical and clinical data.
In appropriate cases, the FDA also intends to expedite the review of manufacturing and quality system compliance for STeP designated devices by demanding less quality system and manufacturing information, or waiving the requirement for a preapproval inspection of the manufacturing sites.
As the STeP program is not yet operational at the time of writing this article, no data is currently available regarding the number of STeP designations and approvals.
In summary, the FDA Breakthrough Devices and Safety Technology Programs provide considerable advantages that can significantly reduce the time for US market access for devices fulfilling either set of specific inclusion criteria described above. It shall be emphasized that the BDP and STeP programs are complementary and will run in parallel. The BDP addresses devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions, whereas the STeP is intended for devices expected to increase the safety of treatments or diagnosis of less serious diseases. Once designated for either of the programs, the manufacturer can expect interactive and timely interaction with the FDA, senior FDA management engagement, priority review, and flexibility with regards to the pre/postmarket balance of data collection, clinical study design, and quality and manufacturing information requirements.

How Medidee can help


Does your medical device potentially meet the criteria for inclusion in the BDP or STeP programs? Our dedicated US market specialists at Medidee are well-experienced with the Breakthrough Devices Program, and may assist you determining whether your product qualifies for inclusion in the BDP or STeP programs, in preparing and submitting your BDP or STeP designation request, and in subsequent interactions with the FDA once the designation is granted. Contact us now!


This article was written by Dr Jérôme Randall.